Skip to main content

WPAMS WordPress Plugin CVE-2026-39433

| EUVDEUVD-2026-37468 MEDIUM
Missing Authorization (CWE-862)
2026-06-16 Patchstack
6.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
6.5 MEDIUM

Network-accessible WordPress plugin requiring only subscriber authentication (PR:L); deletion-only impact maps solely to availability (A:H), with no confidentiality or integrity effect.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 17, 2026 - 00:31 vuln.today
Patch available
Jun 16, 2026 - 23:02 EUVD

DescriptionCVE.org

Subscriber Arbitrary Content Deletion in WPAMS < 49.5.3 versions.

AnalysisAI

Arbitrary content deletion in the WPAMS WordPress plugin (versions prior to 49.5.3) by Mojoomla allows any authenticated subscriber-level user to delete content they are not authorized to remove. Rooted in a missing authorization check (CWE-862), this flaw bypasses WordPress capability controls entirely for deletion operations. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register subscriber account on target WordPress site
Delivery
Authenticate and obtain session credentials
Exploit
Craft deletion request targeting WPAMS endpoint
Execution
Submit request bypassing missing authorization check
Impact
Arbitrary content deleted from the site

Vulnerability AssessmentAI

Exploitation Exploitation requires a subscriber-level WordPress account on the target site - confirmed by the CVSS PR:L metric. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) accurately reflects a moderate-to-high severity issue where the attack vector is network-based, complexity is low, and the required privilege is minimal (subscriber). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a free subscriber account on a WordPress site running WPAMS prior to 49.5.3, then crafts an authenticated HTTP request targeting the plugin's content deletion endpoint - bypassing the absent authorization check. Without requiring any elevated privileges or administrator interaction, the attacker can systematically delete apartment listings, tenant records, or other managed content, causing significant availability and operational damage to the property management site. …
Remediation Upgrade WPAMS to version 49.5.3 or later, which contains the vendor-released patch per Patchstack advisory and EUVD-2026-37468. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-39433 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy